docs: add non-interactive ssh-add patterns to ssh howto

Cover passphrase injection via script(1) with env vars and the SSH_ASKPASS alternative for headless automation.
2026-02-22 02:13:32 +01:00
parent 5aaa290b76
commit 7e8661f68b
1 changed files with 28 additions and 0 deletions
--- a/topics/ssh.md
+++ b/topics/ssh.md
@@ -68,6 +68,34 @@ ssh-add -D
 ssh -A user@bastion                    # remote can use your local keys
 ```

+### Non-Interactive ssh-add (passphrase from env)
+
+`ssh-add` insists on a terminal for passphrase input. Use `script` to fake a TTY and feed the passphrase from an environment variable:
+
+```bash
+# SSH_KEY_PASS must be set (e.g. sourced from a secrets file)
+{ sleep 0.1; echo "$SSH_KEY_PASS"; } | script -q /dev/null -c "ssh-add $HOME/.ssh/id_ed25519"
+```
+
+Useful in automation (CI, cron, Ansible) where no interactive terminal exists.
+
+```bash
+# Full pattern: source secrets, start agent, add key
+source ~/.bashrc.secrets               # exports SSH_KEY_PASS
+eval "$(ssh-agent -s)"
+{ sleep 0.1; echo "$SSH_KEY_PASS"; } | script -q /dev/null -c "ssh-add $HOME/.ssh/id_ed25519"
+ssh-add -l                             # verify key loaded
+```
+
+Alternative with `SSH_ASKPASS` (avoids `script`):
+
+```bash
+export SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS="$(mktemp)" && printf '#!/bin/sh\necho "$SSH_KEY_PASS"' > "$SSH_ASKPASS" && chmod +x "$SSH_ASKPASS"
+ssh-add ~/.ssh/id_ed25519
+rm -f "$SSH_ASKPASS"
+```
+
 ## Config File (~/.ssh/config)

 ```ssh-config